From 77a698c7c36f269fe3dc22ea7bdc382a10aa87ff Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 23 May 2021 17:19:28 +0200 Subject: [PATCH] update --- logical/blackadder.nix | 18 ++++++++++++++++++ modules/lumi-vpn.nix | 2 +- nix/sources.json | 34 +++++++++++++++++++++++++++++----- nix/sources.nix | 5 ++++- physical/3950x.nix | 16 +++++++++++++--- roles/workstation.nix | 10 ++++++++++ services/pub.nix | 4 ++++ 7 files changed, 79 insertions(+), 10 deletions(-) diff --git a/logical/blackadder.nix b/logical/blackadder.nix index 033b617..4f0abcd 100644 --- a/logical/blackadder.nix +++ b/logical/blackadder.nix @@ -5,6 +5,8 @@ ../roles/workstation.nix ]; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + system.stateVersion = "19.09"; yorick.lumi-vpn = { @@ -12,6 +14,8 @@ mtu = 1408; }; + xdg.autostart.enable = false; + services.znapzend = { enable = true; pure = true; @@ -30,4 +34,18 @@ }; }; }; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess" + ''; + + nix.trustedUsers = [ "lars" ]; + users.users.lars = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 openpgp:0x60F7D1FD" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood" + ]; + }; + virtualisation.docker.enable = true; } diff --git a/modules/lumi-vpn.nix b/modules/lumi-vpn.nix index e49e0b1..78ec185 100644 --- a/modules/lumi-vpn.nix +++ b/modules/lumi-vpn.nix @@ -17,7 +17,7 @@ in }; mtu = mkOption { type = types.int; - default = 1371; + default = 1371; # 1408 at home }; ip = mkOption { type = types.str; diff --git a/nix/sources.json b/nix/sources.json index e25c1ec..62ea370 100644 --- a/nix/sources.json +++ b/nix/sources.json 
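Review bot: `nix.trustedUsers = [ "lars" ];` in the third blackadder.nix hunk grants lars trusted-user status on the Nix daemon, which Nix documents as effectively root-equivalent (a trusted user may override sandbox and substituter settings the daemon otherwise refuses), while the surrounding lines only declare an ordinary login account with SSH keys. If that level of trust is intended, say so next to it, e.g. `# root-equivalent: trusted users may override daemon sandbox/substituter settings`; if the goal is only to let lars use an extra binary cache, a narrower grant is worth considering. The new udev rule should also carry a comment naming what device `20b7:9db1` is, since the vendor/product pair alone does not tell a later maintainer why `dialout` access plus `uaccess` is handed out.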
@@ -1,4 +1,16 @@
 {
+ "emacs-overlay": {
+ "branch": "master",
+ "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
+ "homepage": "",
+ "owner": "nix-community",
+ "repo": "emacs-overlay",
+ "rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91",
+ "sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f",
+ "type": "tarball",
+ "url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
 "niv": {
 "branch": "master",
 "description": "Easy dependency management for Nix projects",
@@ -31,15 +43,27 @@
 "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864"
 },
 "nixpkgs": {
- "branch": "nixos-unstable",
+ "branch": "master",
 "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
 "homepage": "https://github.com/NixOS/nixpkgs",
- "owner": "NixOS",
+ "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "733e537a8ad76fd355b6f501127f7d0eb8861775",
- "sha256": "1rjvbycd8dkkflal8qysi9d571xmgqq46py3nx0wvbzwbkvzf7aw",
+ "rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2",
+ "sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/733e537a8ad76fd355b6f501127f7d0eb8861775.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixpkgs-mozilla": {
+ "branch": "master",
+ "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)",
+ "homepage": "",
+ "owner": "mozilla",
+ "repo": "nixpkgs-mozilla",
+ "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
+ "sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6",
+ "type": "tarball",
+ "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-wayland": {
diff --git a/nix/sources.nix b/nix/sources.nix
index b796fff..1938409 100644
--- a/nix/sources.nix
+++ b/nix/sources.nix
@@ -98,7 +98,10 @@ let saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; in - if ersatz == "" then drv else ersatz; + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; # Ports of functions for older nix versions diff --git a/physical/3950x.nix b/physical/3950x.nix index f757370..23f79ec 100644 --- a/physical/3950x.nix +++ b/physical/3950x.nix @@ -12,13 +12,23 @@ in boot.loader.efi.canTouchEfiVariables = true; boot.supportedFilesystems = [ "zfs" ]; boot.kernelModules = [ "nct6775" ]; - boot.kernelPackages = pkgs.linuxPackages_5_9; + boot.kernelPackages = pkgs.linuxPackages_5_10; networking.hostId = "c7736638"; services.zfs.autoScrub.enable = true; services.zfs.trim.enable = true; hardware.bluetooth.enable = true; networking.useDHCP = false; - networking.interfaces.enp9s0.useDHCP = true; - boot.kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" ]; + networking.usePredictableInterfaceNames = false; + networking.bridges.br0.interfaces = [ "eth0" ]; + networking.interfaces.br0.useDHCP = true; + # systemd.network.links."98-namepolicy" = { + # matchConfig.OriginalName = "*"; + # linkConfig.NamePolicy = "mac kernel database onboard slot path"; + # }; + boot.kernelParams = [ + "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" + # thunderbolt + "pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc" + ]; } diff --git a/roles/workstation.nix b/roles/workstation.nix index b36dac8..96ee28b 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
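Review bot: The commented-out `systemd.network.links."98-namepolicy"` block in the 3950x.nix hunk is dead code sitting next to `networking.usePredictableInterfaceNames = false;` with nothing saying why it is kept; either drop it or replace it with a one-line note such as `# predictable names disabled so br0 can bind eth0; link NamePolicy alternative kept for reference`. With predictable names off, `eth0` is simply the first NIC the kernel enumerates, so on a board with more than one interface the bridge may end up on the wrong port after a driver or firmware change — a comment recording the intended NIC (the removed `enp9s0`) or a `.link` match on the MAC address would make that robust. Anything elsewhere in the configuration that still referred to `enp9s0` (not visible here) needs to follow the rename to `br0`.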
@@ -99,4 +99,14 @@ in boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000; yorick.lumi-vpn.enable = true; + + services.pipewire.enable = true; + xdg.portal = { + enable = true; + extraPortals = with pkgs; [ + xdg-desktop-portal-wlr + xdg-desktop-portal-gtk + ]; + gtkUsePortal = true; + }; } diff --git a/services/pub.nix b/services/pub.nix index 8b7d340..a8cc787 100644 --- a/services/pub.nix +++ b/services/pub.nix @@ -7,6 +7,10 @@ let cfg = config.services.yorick.public; in }; #imports = [../modules/nginx.nix]; config = lib.mkIf cfg.enable { + systemd.services.nginx.serviceConfig = { + ProtectHome = "tmpfs"; + BindReadOnlyPaths = [ "/home/public/public" ]; + }; users.extraUsers.public = { home = "/home/public"; useDefaultShell = true;
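Review bot: `ProtectHome = "tmpfs";` together with `BindReadOnlyPaths = [ "/home/public/public" ];` in the pub.nix hunk hides all of /home from nginx and re-exposes only the public tree read-only, but nothing records that invariant, so a later move of the served root would quietly break serving; add `# nginx sees an empty /home except this read-only bind; keep in sync with the served root`. A bind mount does not relax DAC checks, so `/home/public` must still be traversable and `/home/public/public` readable by the nginx service user — worth verifying against the mode the `public` user's home directory (context lines below) is created with. If the NixOS nginx module of the pinned nixpkgs already sets `ProtectHome` in its serviceConfig, a plain assignment here may need `lib.mkForce` to avoid a conflicting-definition error; I cannot confirm that from this hunk.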